New Locky Ransomware Trojan Spotted this August 2017

A new August 2017 ransomware campaign began on August 9th and is attacking unsuspecting users around the world. First detected by the Comodo Threat Intelligence Lab, this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations’ infrastructures.

Within just the first few days of the coordinated ransomware attack, tens of thousands of users were being targeted by a simple-looking email with an attachment and little to no content in the email body. The attachment is an archive file named “E 2017-08-09 (580).vbs” (in each email, “580” is a number that changes from message to message, and “vbs” is an extension that changes as well).

The attached file names are similar, but the extension may be .doc, .zip, .pdf, or an image type (.jpg or .tiff). When opened, the attachment downloads “IKARUSdilapidated,” the newest member of the “Locky” ransomware family. Named for the string “IKARUSdilapidated” that appears in its code, it is clearly related to the “Locky” Trojan and shares some of its characteristics.

Social engineering is used to get the user to open the attachment; when the user does as instructed, the embedded macros save and run a binary file that downloads the actual encryption Trojan, which encrypts all files matching a list of particular extensions, including the common ones found on most machines. After encryption, a message displayed on the user’s desktop instructs the victim to download the Tor browser, popular because it allows anonymous browsing, and then to visit a specific criminally operated web site for further information.

The web site contains instructions that demand a ransom payment of between 0.5 and 1 bitcoin (currently, one bitcoin varies in value between 500 and 1000 Euros) in exchange for the means to (hopefully) decrypt the now-encrypted files.

Phishing and Trojan experts from the Comodo Threat Intelligence Lab (part of Comodo Threat Research Labs) detected these new “Locky” ransomware attacks and verified that they began on August 9th, with more than 62,000 phishing emails detected at Comodo-protected endpoints within just the first three days. The attachments were classified as “unknown files,” placed into containment, and denied entry until they had been analyzed by Comodo’s technology and, in this case, by the lab’s human experts.

The Threat Intelligence Lab’s analysis of the thousands of emails sent in the phishing campaign revealed the following attack data: 11,625 different IP addresses in 133 different countries are being used to carry out this campaign. The countries housing the most attack servers are Vietnam, India, Mexico, Turkey, and Indonesia.

The team checking the IP range owners saw that most are telecom companies and ISPs. This indicates that the IP addresses belong to infected, now-compromised computers (also called “zombie computers”). Servers in this quantity can only be put to a single task if they are organized into a large bot network, or botnet, with a sophisticated command-and-control server architecture. This means the description of this August 2017 malware attack now includes the term “botnet,” in addition to ransomware, Trojan, and phishing attack.

It also shows the increasing sophistication, organization, and scale of new ransomware attacks, and lends further credence to the call from security experts everywhere to “adopt a default deny security posture” and deny new, “unknown” files entry into your IT infrastructure.
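The two ideas above, the campaign’s recognisable attachment naming and the “default deny” posture the article advocates, can be expressed as a small mail-gateway triage routine. The code below is an added example, not Comodo’s own tooling; the filename regex, the “near-empty body” threshold and the known-good hash set are assumptions of this example, and every sample message and hash in it is constructed.

```python
import re
from dataclasses import dataclass

# Assumed pattern for the campaign's attachment names, "E YYYY-MM-DD (NNN).ext":
# the number and the extension change from message to message, so both are wildcards.
CAMPAIGN_NAME = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d+\)\.[A-Za-z0-9]+$")

# Hypothetical set of SHA-256 hashes already vetted as good; the value is a placeholder, not a real hash.
KNOWN_GOOD_SHA256 = {"PLACEHOLDER-sha256-of-a-vetted-attachment"}

# Bodies shorter than this (after trimming) count as "little to no content" (assumed threshold).
EMPTY_BODY_MAX_CHARS = 20


@dataclass
class Message:
    body: str
    attachment: str          # attachment file name as the recipient sees it
    attachment_sha256: str   # constructed hash string, not a real indicator


def looks_like_campaign(msg: Message) -> bool:
    """Heuristic from the article: a dated 'E ... (N).ext' attachment on a near-empty email."""
    return (CAMPAIGN_NAME.match(msg.attachment) is not None
            and len(msg.body.strip()) <= EMPTY_BODY_MAX_CHARS)


def default_allow_verdict(msg: Message) -> str:
    """Default allow: only a file matching a known-bad pattern is stopped; everything else runs."""
    return "block" if looks_like_campaign(msg) else "allow"


def default_deny_verdict(msg: Message) -> str:
    """Default deny: only vetted files are admitted; known-bad is blocked; anything else is contained."""
    if msg.attachment_sha256 in KNOWN_GOOD_SHA256:
        return "allow"
    if looks_like_campaign(msg):
        return "block"       # recognised campaign pattern, no analysis needed
    return "contain"         # unknown file: sandbox it until a verdict exists


# Constructed samples: the campaign as described, a variant with a different name, and a vetted file.
SAMPLES = [
    Message("", "E 2017-08-09 (580).vbs", "constructed-hash-1"),
    Message("", "scan_0812.js", "constructed-hash-2"),
    Message("Hi, the quarterly report is attached.", "report.pdf", "PLACEHOLDER-sha256-of-a-vetted-attachment"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.attachment:28} default-allow={default_allow_verdict(m):6} default-deny={default_deny_verdict(m)}")
```

The second sample shows the difference the article draws: a renamed variant slips past the pattern-only check but is still contained under default deny.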

Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL), said, “This latest ransomware phishing attack that commenced on August 9th was unique in its combination of sophistication and size, with botnet and over 11 thousand IP addresses from 133 countries involved in just the first stage of the attack. When artificial intelligence couldn’t identify these unknown files, the full resources of the lab were needed to analyze and identify the code in the file and render a verdict; in this case the verdict was ‘bad’ and we’ve now added it to our blacklist and malware signature list.”

Orhan went on to state, “Using ‘default deny’ security with containment of unknown files is what protected our users from this new threat. Even ‘default allow’ plus the latest machine learning algorithms and A.I. would not have been sufficient to prevent infection.”

He added that botnets, like the one created in this attack, were particularly powerful weapons for criminals to use to scale their ransomware attacks, and that by building on previous cyberattack Trojans like 2016’s “Locky,” it is getting easier to develop higher-end ransomware that will not be recognized as “bad” by leading endpoint protection platforms.

Technical Analysis – A Deeper Dive
If you’d like to know more about this threat and dive deeper into the code and how the attack was deployed, read the new “Comodo Threat Intelligence Lab SPECIAL REPORT: AUGUST 2017 – IKARUSdilapidated.” This special report and its appendix include:

The Comodo Threat Intelligence Lab technical analysis of a contained sample of IKARUSdilapidated

The scripts run during execution

More detail on the extensions and locations of the servers used in the attack